Abstract

In this paper, we extend the topological model that characterizes 
task solvability in crash-failure systems to colorless tasks in Byzantine 
asynchronous systems. We give the first theorem with necessary and 
sufficient conditions to solve arbitrary colorless tasks in such a model,
capturing the relation between the total number of processes, the
number of faulty processes, and the topological structure of the task's
simplicial complexes. In the interim, we provide novel asynchronous
protocols for k-set agreement and barycentric agreement with optimal
Byzantine fault tolerance. 
1 Introduction



A task is a distributed coordination problem in which each process starts 
with a private input from a finite set, communicates with other processes, 
and eventually decides on a private output, also from a finite set. 

One of the central questions in distributed computing is characterizing 
which tasks can be solved in which models of computation. Tools adapted 
from combinatorial topology have been successful in characterizing task
solvability in synchronous and asynchronous crash-failure models [13], where
faulty processes simply halt and fail silently. In this paper, we extend the
approach to the asynchronous Byzantine model, where communication has 
unbounded delay and faulty processes can display arbitrary behavior. 

We focus on an important class of tasks called colorless tasks [4], which
includes well-studied problems such as consensus [8], k-set agreement [7], and
approximate agreement pQ. As explained more formally below, a colorless 
task is one that can be defined entirely in terms of sets of input and output 
values assigned, without the need to specify which value is assigned to which 
process, or how many times an assigned value appears.¹

1.1 Our Contributions 

Our first contribution is to extend the application of the topological model 
from [13], formerly used to characterize solvability in crash-failure systems,
to colorless tasks in asynchronous Byzantine systems. This approach leads
to novel conclusions, suggesting that the model is well-suited and robust
among a multitude of communication and failure abstractions. Besides, it
opens up new questions, such as how to further extend the application to
colored tasks, as well as other timing models. Background information on
the topological model in distributed computing is presented in Sec. 2.

Our second contribution is to give new protocols for k-set agreement 
and barycentric agreement in the Byzantine-failure model. It is well-known 
that asynchronous Byzantine consensus is impossible [8], as well as wait-free
asynchronous set-agreement [H H3j Q2]. Our protocols limn the boundary
between the possible and impossible in the presence of Byzantine failures.
Using powerful algorithmic tools, presented in Sec. 3, our k-set agreement
and barycentric agreement protocols, which are discussed in Sec. 4, will
provide the appropriate support for our main theorem. 

¹ The renaming task [2] is an example of a task that is not colorless, as each process
chooses a distinct name.

Finally, our principal contribution is to give the first theorem with
necessary and sufficient conditions to solve arbitrary colorless tasks in the 
asynchronous Byzantine model. The task itself is defined in terms of a pair 
of combinatorial structures called simplicial complexes [HI [15] . Whether a 
task is solvable is equivalent to the existence of a certain structure-preserving 
map between the task's simplicial complexes. This equivalence captures the 
relation between $n+1$, the number of processes, $t$, the number of failures,
and the topological structure of the task's simplicial complexes.² While an
analogous characterization has long been known for crash failures [13], our
solvability theorem, presented in Sec. 5, is the first such characterization for
Byzantine failures.



2 Topological Model 

We now describe some basic notions from combinatorial topology, and how 
they are applied to model concurrent computation. The next section is just 
an overview; for more detail see Munkres [16] or Kozlov [15].



2.1 Combinatorial Tools 

A simplicial complex is a finite set $V$ along with a collection of subsets $\mathcal{K}$ of
$V$ closed under containment. An element of $V$ is a vertex of $\mathcal{K}$. Each set in
$\mathcal{K}$ is called a simplex, usually denoted by lower-case Greek letters: $\sigma$, $\tau$. A
subset of a simplex is called a face. The dimension $\dim(\sigma)$ of a simplex $\sigma$ is
$|\sigma| - 1$. We use "$k$-simplex" as shorthand for "$k$-dimensional simplex", and
similarly for "$k$-face". The dimension $\dim(\mathcal{K})$ of a complex is the maximal
dimension of its simplices. The set of simplices of $\mathcal{K}$ of dimension at most $\ell$
is a subcomplex of $\mathcal{K}$, called the $\ell$-skeleton of $\mathcal{K}$, denoted $\mathrm{skel}^{\ell}(\mathcal{K})$.

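Let $\mathcal{K}$ and $\mathcal{L}$ be complexes. A vertex map $f$ carries vertices of $\mathcal{K}$ to
vertices of $\mathcal{L}$. If $f$ also carries simplices of $\mathcal{K}$ to simplices of $\mathcal{L}$, it is called
a simplicial map. A carrier map $\Phi$ from $\mathcal{K}$ to $\mathcal{L}$ takes each simplex $\sigma \in \mathcal{K}$
to a subcomplex $\Phi(\sigma) \subseteq \mathcal{L}$, such that for all $\sigma, \tau \in \mathcal{K}$ with $\sigma \subseteq \tau$, we have
$\Phi(\sigma) \subseteq \Phi(\tau)$. A simplicial map $\phi : \mathcal{K} \to \mathcal{L}$ is carried by the carrier map
$\Phi : \mathcal{K} \to 2^{\mathcal{L}}$ if, for every simplex $\sigma \in \mathcal{K}$, we have $\phi(\sigma) \in \Phi(\sigma)$.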

Although we have defined simplices and complexes in a purely combinatorial
way, they can also be interpreted geometrically. An $n$-simplex can be
identified with the convex hull of $(n+1)$ affinely-independent points in the
Euclidean space of appropriate dimension. This geometric interpretation
can be extended to complexes. The point-set underlying such a geometric
complex $\mathcal{K}$ is called its polyhedron, and is denoted $|\mathcal{K}|$.

² Our results extend to the core/survivor-set model [14] (Section 5.1).

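Given a simplicial map $\phi : \mathcal{K} \to \mathcal{L}$ (resp. carrier map $\Phi : \mathcal{K} \to 2^{\mathcal{L}}$), the
polyhedrons of every simplex in $\mathcal{K}$ and $\mathcal{L}$ induce a continuous simplicial map
$\phi : |\mathcal{K}| \to |\mathcal{L}|$ (resp. carrier map $\Phi : |\mathcal{K}| \to |2^{\mathcal{L}}|$). In that case, $\phi$ is carried
by $\Phi$ if, for every simplex $\sigma \in \mathcal{K}$, we have that $|\phi(\sigma)| \subseteq |\Phi(\sigma)|$.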

Continuous maps can also induce combinatorial ones, but this requires 
more mathematical machinery. In this work, we need only to use the
simplicial approximation theorem [16], a foundational result in combinatorial
topology, leaving the details for the interested reader [TBI [15].

2.2 Model for Concurrent Computation 

For lack of space, and as we are dealing only with colorless tasks, we use a
simplified version of the general combinatorial model of [9] [10] [11] [12] [13].

An initial configuration is an assignment of input values to processes, and 
a final configuration is the analogous for output values. A task specification 
consists of a set of legal initial configurations, and, for each of them, its 
corresponding set of legal final configurations. 

A colorless task [12] is a triple $(\mathcal{I}, \mathcal{O}, \Delta)$, where $\mathcal{I}$ is the input complex,
$\mathcal{O}$ is the output complex, and $\Delta : \mathcal{I} \to 2^{\mathcal{O}}$ is a carrier map. Each vertex
in $\mathcal{I}$ is an input value, and each simplex is an initial configuration, with
possible initial configurations closed under inclusion. The output complex
is analogous in regard to final configurations. Given an initial configuration,
the carrier map $\Delta$ specifies which final configurations are legal.

With colorless tasks, only sets of input and output values define valid 
configurations, and such sets are closed under inclusion. Indeed, in k-set 
agreement [7], which is colorless, if a non-faulty process adopts the input
of another non-faulty process, the initial configuration remains valid, and
similarly for outputs. Conversely, in renaming [2], which is colored, the
specific input/output assignments cannot be manipulated in such ways.

To illustrate the relation between the carrier map and the task
specification, in binary consensus the input complex $\mathcal{I}$ has two vertices, labeled
0 and 1, joined by an edge, and the output complex $\mathcal{O}$ has two isolated
vertices, labeled 0 and 1. The carrier map $\Delta$ sends each vertex of $\mathcal{I}$ to the
output vertex with the same label, and the edge of $\mathcal{I}$ to both vertices of $\mathcal{O}$.

Non-faulty processes, informally speaking, start on vertices of a simplex
$\sigma$ in $\mathcal{I}$, and halt on vertices of a simplex $\tau \in \Delta(\sigma)$. Multiple processes may
start on the same input vertex and halt on the same output vertex. Also,
note that task specifications constrain the behavior of non-faulty processes
only. The same task definition is used both for crash and Byzantine failure
models, with the nature of the failures affecting only protocols (algorithms),
but not specifications (models). Moreover, the outputs of non-faulty
processes depend solely on the inputs of non-faulty processes, which we indeed
desire for colorless tasks subjected to Byzantine failures.

Operationally speaking, we have $n+1$ sequential processes³ that
communicate via message-passing through a fully-connected, asynchronous network
of reliable FIFO channels. Every message sent is eventually delivered after
a finite, but unbounded delay, with the message's sender reliably identified.
The processes are asynchronous as well, having no bound on their relative
speed. Up to $t$ processes might be faulty, displaying arbitrary, "Byzantine"
behavior. We abstract the asynchronous communication in discrete rounds
of related messages, in a full-information protocol.

It follows from prior work [13]⁴ that in the asynchronous crash-failure
model, a colorless task $(\mathcal{I}, \mathcal{O}, \Delta)$ has a $t$-resilient protocol if and only if:

Property 2.1. There is a continuous map $f : |\mathrm{skel}^t(\mathcal{I})| \to |\mathcal{O}|$ carried by $\Delta$.

The principal conclusion of this paper is to show that in the asynchronous
Byzantine model, a task has a $t$-resilient protocol if and only if it satisfies
Property 2.1 and, in addition, satisfies the following condition:

$n + 1 > t(\dim(\mathcal{I}) + 2)$.

The Byzantine model places new constraints tying together $n+1$, the number
of processes, $\dim(\mathcal{I}) + 1$, the maximum number of distinct input values in any
initial configuration, and $t$, the maximum number of Byzantine processes.
(In the crash failure model, these values are independent.)

³ Choosing $n+1$ processes rather than $n$ simplifies the topological notation but slightly
complicates the computing notation. Choosing $n$ processes makes the opposite trade-off.
We choose $n+1$ for compatibility with prior work.

⁴ The condition shown here is a simplified version of the original, reflecting our focus
on colorless (instead of arbitrary) tasks.

3 Basic Algorithmic Tools

Our constructions make use of two well-known constructions from prior
work: reliable broadcast [31 EJ El HH] and stable vectors [2].

3.1 Reliable Broadcast

Reliable broadcast forces Byzantine processes to communicate consistently
with other processes. Communication is organized in asynchronous rounds,
where a round may involve several message exchanges. Messages have the
form $(P, r, c)$, where $P$ is the sending process, $r$ is the current round, and $c$
is the actual content. Messages not conforming to this structure can safely
be discarded. Reliable broadcast gives the following guarantees [3] [6]:

Non-Faulty Integrity: If a non-faulty $P$ never reliably broadcasts $(P, r, c)$,
no non-faulty process ever reliably receives $(P, r, c)$.

Non-Faulty Liveness: If a non-faulty $P$ does reliably broadcast $(P, r, c)$,
all non-faulty processes will reliably receive $(P, r, c)$ eventually.

Global Uniqueness: If two non-faulty processes $Q$ and $R$ reliably receive,
respectively, $(P, r, c)$ and $(P, r, c')$, then the messages are equal ($c = c'$),
even if the sender $P$ is Byzantine.

Global Liveness: For two non-faulty processes $Q$ and $R$, if $Q$ reliably
receives $(P, r, c)$, then $R$ will reliably receive $(P, r, c)$ eventually, even if
the sender $P$ is Byzantine.

The protocol for reliable broadcast is discussed in detail in (3J Ej, and
works as long as $n + 1 > 3t$. For completeness, we give the algorithms in
Appendix A. In this text, P.RBSend(M) denotes the reliable broadcast of
message M by process P, and P.RBRecv(M) the reliable receipt of M by P.

3.2 Quorums 

Let $\mathcal{M}^r$ be the set of all messages reliably broadcast by all processes during
a discrete round $r$, and let $M_i^r \subseteq \mathcal{M}^r$ be the subset reliably received by a
non-faulty process $P_i$. By the global uniqueness of the reliable broadcast,
if $(P, r, c)$ and $(P', r', c')$ are distinct messages in $M_i^r$ then the senders are
distinct: $P \neq P'$. Furthermore, by definition of $M_i^r$, we have that $r = r'$.

Let $\mathrm{Good}(\mathcal{M}^r)$ denote the set of distinct message contents in $\mathcal{M}^r$ that
were reliably broadcast by the non-faulty processes. We say that a content $c$
has a quorum in $M_i^r$, written $c \in \mathrm{Quorum}(M_i^r)$, if $c$ was reliably received in
$M_i^r$ from $t+1$ or more different processes. If $P$ has a quorum for $c$, $P$ knows
that $c$ was sent by a non-faulty process. Conversely, any content received
from less than $t+1$ processes cannot be trusted: recall that non-faulty
process outputs must depend only on non-faulty process inputs.

Algorithm 1 shows the procedure by which non-faulty processes get a
set of messages containing a quorum. Informally, the procedure eventually
finishes since all $n+1-t$ non-faulty processes eventually show up, and, since
$n + 1 - t > t \cdot |\mathrm{Good}(\mathcal{M}^r)|$, some value appears $t+1$ or more times. The
following lemmas state such guarantees, formally proven in Appendix B.
Algorithm 1 P.RecvQuorum(r)

    M ← ∅
    while |M| < n − t + 1 or Quorum(M) = ∅ do
        upon RBRecv((Q, r, c)) do
            M ← M ∪ {(Q, r, c)}
    return M



Property 3.1. If $n + 1 > 3t$ and $n + 1 > t(|\mathrm{Good}(\mathcal{M}^r)| + 1)$, RecvQuorum(r)
eventually returns, and, for any non-faulty process $P_i$,

$|M_i^r| \geq n + 1 - t$ and $\mathrm{Quorum}(M_i^r) \neq \emptyset$.

Property 3.2. After executing RecvQuorum(r), any two non-faulty processes
$P_i$ and $P_j$ are such that $|M_i^r \setminus M_j^r| \leq t$.

3.3 Stable Vectors 

Algorithm 1 ensures that any two non-faulty processes $P_i$ and $P_j$ will collect
at least $n+1-2t$ messages in common. Indeed, we have that $|M_i^r| \geq n+1-t$
by Property 3.1, and that $|M_i^r \setminus M_j^r| \leq t$ by Property 3.2, which implicates
that $|M_i^r \cap M_j^r| \geq n + 1 - 2t$.



In Algorithm 2, we adapt the stable vectors technique presented in [2] to
ensure that the two non-faulty processes $P_i$ and $P_j$ have $n + 1 - t$ messages
in common in $M_i^r$ and $M_j^r$, with a common value in $\mathrm{Quorum}(M_i^r \cap M_j^r)$ and
with sets of messages totally ordered by containment.

The technique works as follows. (1) $P$ uses RecvQuorum() to get a set
of messages $M$ with $\mathrm{Quorum}(M) \neq \emptyset$. (2) $P$ reliably transmits its report,
containing those messages. (3) Any further message reliably received in $M$
will make $P$ reliably broadcast an updated report of $M$. (4) $P$ keeps reliably
receiving reports, stored in a vector $R$, until it identifies $n + 1 - t$ buddies
in $B$, where a buddy is a process $P_j$ whose last report $R_j$ is $M$.

The following lemmas show that the procedure terminates and that the 
stable vector properties are indeed provided. Intuitively, any two non-faulty 
processes identify a common non-faulty buddy, which reliably broadcasts 
monotonically increasing reports, guaranteeing the properties. For formal 
proofs, refer to Appendix B. We assume that $n + 1 > 3t$ and also that
$n + 1 > t(|\mathrm{Good}(\mathcal{M}^r)| + 1)$.
Algorithm 2 P.RecvStable(r)

    M, B ← ∅
    R[x] ← ∅ for all 0 ≤ x ≤ n
    M ← RecvQuorum(r)
    RBSend((P, r{report}, M))
    while |B| < n + 1 − t do
        upon RBRecv((P_j, r, c)) do
            M ← M ∪ {(P_j, r, c)}
            RBSend((P, r{report}, M))
        upon RBRecv((P_j, r{report}, R_j)) do
            R[j] ← R_j
        B ← {P_x : R[x] = M, 0 ≤ x ≤ n}
    return M



Lemma 3.3. For any non-faulty process $P_i$, the sequence of transmitted
reports is monotonically increasing. All other non-faulty processes receive
those reports in such order.

Lemma 3.4. RecvStable(r) eventually returns.

Lemma 3.5. After executing RecvStable(r), any two non-faulty processes
$P_i$ and $P_j$ have (i) $|M_i^r \cap M_j^r| \geq n + 1 - t$; (ii) $\mathrm{Quorum}(M_i^r \cap M_j^r) \neq \emptyset$; and
(iii) sets totally ordered by containment: $M_i^r \subseteq M_j^r$ or $M_j^r \subseteq M_i^r$.

4 k-Set Agreement and Barycentric Agreement

Our solvability theorem for colorless tasks builds on two novel asynchronous
Byzantine protocols: k-set agreement [7], and barycentric agreement [13],
which depend, in turn, on our previous communication primitives.

4.1 k-Set Agreement

Recall that in the k-set agreement task, the processes start on vertices of a
simplex $\sigma$ and halt on vertices of a simplex of $\mathrm{skel}^{k-1}(\sigma)$.

Algorithm 3 shows a k-set agreement protocol assuming $\dim(\sigma) = d > 0$,
$k > t$, and $n+1 > t(d+2)$. At most $d+1$ distinct values are reliably broadcast
by non-faulty processes, so $|\mathrm{Good}(\mathcal{M}^1)| = d+1$. As no more than $t$ messages
are missed by $P$, its decision is among the $(t+1)$ least-ranked elements, and
non-faulty processes will certainly decide among those $(t+1)$ least-ranked
elements, for identical reason. The claim follows as $k > t$.

Algorithm 3 P.KSetAgree(v)

    RBSend((P, 1, v))
    M ← RecvQuorum(1)
    return least-ranked element in Quorum(M)

Figure 1: Barycentric subdivision of $\sigma = \{v_0, v_1, v_2\}$, and one of its simplices
$\{\{v_0\}, \{v_0, v_1\}, \{v_0, v_1, v_2\}\}$.
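The following Python simulation is an added example, not code from the paper: it runs Algorithm 1 and Algorithm 3 over an abstracted reliable broadcast in which each sender, Byzantine or not, contributes at most one content per round (global uniqueness) and every process sees arrivals in its own arbitrary order. The function names, process counts, input values and the injected value 99 are constructed for illustration; the second scenario shows RecvQuorum never returning once $n+1 = t(d+2)$.

```python
import random
from collections import Counter

def quorum(M, t):
    """Quorum(M): contents received from at least t+1 distinct senders.
    M maps sender -> content; global uniqueness of reliable broadcast is
    what justifies a single content per sender, even a Byzantine one."""
    counts = Counter(M.values())
    return {c for c, seen in counts.items() if seen >= t + 1}

def recv_quorum(arrivals, n_plus_1, t):
    """Algorithm 1 for one process. `arrivals` is the order in which
    (sender, content) pairs are reliably received. Returns M, or None when
    the arrivals run out first, i.e. the process would wait forever."""
    M = {}
    for sender, content in arrivals:
        M[sender] = content
        if len(M) >= n_plus_1 - t and quorum(M, t):
            return M
    return None

def k_set_agree(inputs, byzantine, t, rng):
    """Algorithm 3 executed by every non-faulty process.
    inputs:    non-faulty process id -> input value
    byzantine: faulty process id -> content it reliably broadcasts,
               or None if it stays silent
    Returns non-faulty process id -> decision (None = never decides)."""
    n_plus_1 = len(inputs) + len(byzantine)
    sent = dict(inputs)
    sent.update({p: c for p, c in byzantine.items() if c is not None})
    decisions = {}
    for p in inputs:
        arrivals = list(sent.items())
        rng.shuffle(arrivals)              # asynchrony: per-process order
        M = recv_quorum(arrivals, n_plus_1, t)
        decisions[p] = min(quorum(M, t)) if M is not None else None
    return decisions

def run_resilient(seed):
    """Constructed scenario: t = 2, d = 4, n+1 = 13 > t(d+2) = 12."""
    inputs = dict(enumerate([0, 0, 0, 1, 1, 1, 2, 2, 3, 3, 4]))
    # One faulty process repeats a real input, the other injects a value
    # that no non-faulty process holds.
    byzantine = {11: 2, 12: 99}
    return inputs, k_set_agree(inputs, byzantine, 2, random.Random(seed))

def run_too_few_processes(seed):
    """Constructed scenario: same t and d, but n+1 = 12 = t(d+2). Faulty
    processes stay silent and every value is held by exactly t processes,
    so no content ever reaches t+1 senders."""
    inputs = dict(enumerate([0, 0, 1, 1, 2, 2, 3, 3, 4, 4]))
    byzantine = {10: None, 11: None}
    return inputs, k_set_agree(inputs, byzantine, 2, random.Random(seed))

if __name__ == "__main__":
    inputs, decisions = run_resilient(seed=1)
    print("decisions:", sorted(set(decisions.values())))
    _, stuck = run_too_few_processes(seed=1)
    print("undecided processes:", sum(d is None for d in stuck.values()))
```

In the first scenario every decision is an input of some non-faulty process and at most $t+1 = 3$ distinct values are decided, although five distinct inputs exist.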



4.2 Barycentric Agreement 

The barycentric subdivision of simplex $\sigma$ is constructed, informally speaking,
by subdividing $\sigma$ along the barycenters of its faces, as shown in Figure 1.
Formally, the barycentric subdivision of $\sigma$ is a simplicial complex $\mathrm{Bary}\,\sigma$
whose vertices are faces of $\sigma$, and whose simplices are chains of distinct
faces totally ordered by containment. Every $m$-simplex $\tau \in \mathrm{Bary}\,\sigma$ might
be written as $\{\sigma_0, \ldots, \sigma_m\}$, where $\sigma_0 \subset \cdots \subset \sigma_m \subseteq \sigma$.

In the barycentric agreement task, non-faulty processes start on vertices
of a simplex $\sigma$ and halt on vertices of a simplex in $\mathrm{Bary}\,\sigma$. Formally, for
each $\sigma \in \mathcal{I}$, we have $\Delta(\sigma) = \mathrm{Bary}\,\sigma$.

Algorithm 4 shows the barycentric agreement protocol, which assumes
that $\dim(\sigma) = d > 0$ and $n + 1 > t(d + 2)$. By Lemma 3.5, for any two
non-faulty processes $P_i$ and $P_j$, we have that $M_i \subseteq M_j$ or $M_j \subseteq M_i$, and
also that $\mathrm{Quorum}(M_i \cap M_j) \neq \emptyset$. Therefore, $\mathrm{Quorum}(M_i) \subseteq \mathrm{Quorum}(M_j)$
or $\mathrm{Quorum}(M_j) \subseteq \mathrm{Quorum}(M_i)$, implicating that the decided values, which
are faces of $\sigma$, are totally ordered by containment.

Algorithm 4 P.BaryAgree(v)

    RBSend((P, 1, {v}))
    M ← RecvStable(1)
    return Quorum(M)

5 The Solvability Theorem 



In this section, we enunciate and prove our main theorem: 

Theorem 5.1. A colorless task $(\mathcal{I}, \mathcal{O}, \Delta)$ has a $t$-resilient protocol in the
asynchronous Byzantine model if and only if

1. $n + 1 > t(\dim(\mathcal{I}) + 2)$ and

2. there is a continuous map $f : |\mathrm{skel}^t(\mathcal{I})| \to |\mathcal{O}|$ carried by $\Delta$.

Proof. Conditions imply protocol. Say the map $f$ exists. By the simplicial
approximation theorem [16], we know that $f$ has a simplicial approximation
$\phi : \mathrm{Bary}^N \mathrm{skel}^t(\mathcal{I}) \to \mathcal{O}$, for some $N > 0$, also carried by $\Delta$. The protocol
for non-faulty processes is shown below, presuming $n + 1 > t(\dim(\mathcal{I}) + 2)$.

1. Call the Byzantine k-set agreement protocol, for $k = t + 1$, choosing
vertices on a simplex in $\mathrm{skel}^t(\mathcal{I})$.

2. Call the Byzantine barycentric agreement protocol $N$ times to choose
vertices in $\mathrm{Bary}^N \mathrm{skel}^t(\mathcal{I})$.

3. Use $\phi : \mathrm{Bary}^N \mathrm{skel}^t(\mathcal{I}) \to \mathcal{O}$ to choose vertices on a simplex in $\mathcal{O}$.

Since $\phi$ and $f$ are carried by $\Delta$, non-faulty processes starting on vertices
of $\sigma \in \mathcal{I}$ finish on vertices of $\tau \in \Delta(\sigma)$. Also, since $\dim(\sigma) \leq \dim(\mathcal{I})$, the
preconditions are satisfied for calling the protocols in steps (1) and (2).

Protocol implies conditions. Say the protocol exists. We argue by
reduction to the crash-failure case. It is known [13] that in the crash failure
model, if there is a $t$-resilient protocol, then there is a continuous map
$f : |\mathrm{skel}^t(\mathcal{I})| \to |\mathcal{O}|$ carried by $\Delta$. But any $t$-resilient Byzantine protocol
is also a $t$-resilient crash-failure protocol, so such a map exists even in the
more demanding Byzantine model. The other condition is discussed below.

Number of processes. To show that $n + 1 > t(\dim(\mathcal{I}) + 2)$ is necessary
in the Byzantine-failure model, we see how the $(t+1)$-set agreement task
has no solution if $t + 2 < n + 1 \leq t(\dim(\mathcal{I}) + 2)$. Take an execution where
Byzantine processes crash before taking any steps. If, for every $v \in \sigma \in \mathcal{I}$,
$t$ or fewer non-faulty processes have $v$ as input, any non-faulty process $P$
is unable to "trust" any other values, which makes $(t+1)$-set agreement
impossible. □
5.1 Non-independent Faults

The $t$-resilient model presumes independent, identically distributed process
failures, but in practice they correlate to the same processor, machine, etc.

The core/survivor-set model of Junqueira and Marzullo [14] assumes an
adversarial scheduler that defines sets of possibly faulty/correct processes.
Our algorithms and theorem do apply to this extended failure model; we
give below some intuition on why they remain applicable.

In the reliable broadcast, quorum, and stable vector protocols, we
redefine the variable $t$ to be $c - 1$, one less than the minimum core size. Now,
processes can always wait for $(n + 1) - (c - 1) = n + 1 - t$ messages, which
preserves our correctness arguments for these protocols, still allowing us to
solve $c$-set agreement and barycentric agreement. The solvability theorem
for non-independent faults is stated below, and the trivial changes required
for its demonstration are highlighted in Appendix C for completeness.

Theorem 5.2. A colorless task $(\mathcal{I}, \mathcal{O}, \Delta)$ has a protocol in the asynchronous
Byzantine model with core size $c$ if and only if $n + 1 > (c - 1) \cdot (\dim(\mathcal{I}) + 2)$
and there is a continuous map $f : |\mathrm{skel}^{c-1}(\mathcal{I})| \to |\mathcal{O}|$ carried by $\Delta$.

6 Conclusion 

In this work, we give the first necessary and sufficient conditions for the 
solvability of arbitrary colorless tasks in asynchronous Byzantine systems. 
This particular characterization is interesting per se, as previous, analogous 
results exist for crash-failure systems [13]. However, this work also
evidences (i) the power and suitability of the combinatorial topology tools, and
(ii) novel, yet simple algorithms for the fundamental k-set agreement and
barycentric agreement problems in asynchronous Byzantine systems.

We saw how combinatorial topology tools can produce novel results in
distributed computing by virtue of being capable to support existential
arguments without complicated, model-specific constructive arguments.
Indeed, we used or slightly adapted basic communication primitives (reliable
broadcast, quorums, stable vectors) and straightforward algorithmic tools
(k-set agreement and barycentric agreement) to demonstrate our solvability
theorem, relying on powerful, model-independent observations from
combinatorial topology to complement the proof.

Our necessary and sufficient conditions capture the relation between the 
number of processes, the number of failures, and the topological structure 
of the task's simplicial complexes. Hence, the solvability of asynchronous
Byzantine tasks depends on the ratio between benign and faulty processes
(or core size), taking into account the input and output complexes. This
differs from the case of crash-failure systems, and opens similar questions
for other scenarios, such as synchronous systems and colored tasks, which
we intend to carry as future work.
A Algorithms for Reliable Broadcast

Algorithms 5 to 7 show the reliable broadcast protocol for sender P, round
r, and content c. The symbol "•" represents a wildcard, matching any value.

Algorithm 5 P.RBSend((P, r, c))

    send(P, r, c) to all processes

Algorithm 6 P.RBEcho()

    upon recv(Q, r, c) from Q do
        if never sent (Q, r{echo}, •) then
            send(Q, r{echo}, c) to all processes
    upon recv(•, r{echo}, c) from ≥ n − t + 1 processes do
        if never sent (P, r{ready}, •) then
            send(P, r{ready}, c) to all processes
    upon recv(•, r{ready}, c) from ≥ t + 1 processes do
        if never sent (P, r{ready}, •) then
            send(P, r{ready}, c) to all processes

Algorithm 7 P.RBRecv((P, r, c))

    recv(•, r{ready}, c) from n − t + 1 processes
    return (P, r, c)
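The echo and ready thresholds of Algorithms 5 to 7 can be exercised against an equivocating sender. The Python simulation below is an added example, not code from the paper: class and function names, the contents "A" and "B", and the choice of $n+1 = 4$, $t = 1$ are constructed, and messages are delivered in arbitrary order with the source identified by the channel, as the model assumes.

```python
import random
from collections import defaultdict

class Process:
    """A non-faulty process following Algorithms 6 and 7 for one
    (sender, round) pair."""
    def __init__(self, n_plus_1, t):
        self.N, self.t = n_plus_1, t
        self.sent_echo = self.sent_ready = False
        self.echoes = defaultdict(set)    # content -> processes that echoed
        self.readies = defaultdict(set)   # content -> processes that sent ready
        self.delivered = None

    def handle(self, src, kind, content, sender):
        """Process one message; return (kind, content) pairs to send to all."""
        out = []
        if kind == "init" and src == sender and not self.sent_echo:
            self.sent_echo = True                     # echo at most once
            out.append(("echo", content))
        elif kind == "echo":
            self.echoes[content].add(src)
        elif kind == "ready":
            self.readies[content].add(src)
        enough_echoes = len(self.echoes[content]) >= self.N - self.t
        enough_readies = len(self.readies[content]) >= self.t + 1
        if not self.sent_ready and (enough_echoes or enough_readies):
            self.sent_ready = True                    # ready at most once
            out.append(("ready", content))
        if self.delivered is None and len(self.readies[content]) >= self.N - self.t:
            self.delivered = content                  # Algorithm 7
        return out

def simulate(n_plus_1, t, sender, faulty, script, seed):
    """Drain the network in random order. `script` lists the messages the
    faulty processes (or an honest sender's RBSend) inject, as
    (src, dst, kind, content). Returns what each non-faulty process
    reliably received (None = nothing)."""
    rng = random.Random(seed)
    procs = {p: Process(n_plus_1, t) for p in range(n_plus_1) if p not in faulty}
    pending = list(script)
    while pending:
        src, dst, kind, content = pending.pop(rng.randrange(len(pending)))
        if dst in procs:                              # faulty receivers ignored
            for k, c in procs[dst].handle(src, kind, content, sender):
                pending.extend((dst, q, k, c) for q in range(n_plus_1))
    return {p: proc.delivered for p, proc in procs.items()}

def equivocating_sender(seed):
    """Byzantine sender 0 tells each process "A" or "B" at random and also
    sends echo and ready messages for both contents to everyone."""
    rng = random.Random(seed)
    script = [(0, q, "init", rng.choice("AB")) for q in (1, 2, 3)]
    script += [(0, q, kind, c) for q in (1, 2, 3)
               for kind in ("echo", "ready") for c in "AB"]
    return simulate(4, 1, sender=0, faulty={0}, script=script, seed=seed)

def honest_sender(seed):
    """Honest sender 0 broadcasts "A"; Byzantine process 3 pushes "B"."""
    script = [(0, q, "init", "A") for q in range(4)]
    script += [(3, q, kind, "B") for q in range(4) for kind in ("echo", "ready")]
    return simulate(4, 1, sender=0, faulty={3}, script=script, seed=seed)

if __name__ == "__main__":
    print(equivocating_sender(7))   # every non-faulty process agrees
    print(honest_sender(7))
```

Whatever split the Byzantine sender chooses, all non-faulty processes end with the same outcome, which is the Global Uniqueness and Global Liveness behaviour listed in Section 3.1.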
B Proofs for Communication Primitives

In this section, we prove lemmas related to quorum and stable vectors. The
proofs on stable vector guarantees are variations from those in [2].

B.1 Proof of Property 3.1

Proof. Since $n + 1 > 3t$, the processes can perform reliable broadcast. Notice
that the $n + 1 - t$ messages sent by the non-faulty processes can be grouped
by their contents:

$n - t + 1 = \sum_{c \in \mathrm{Good}(\mathcal{M}^r)} |\{(P, r, c) : (P, r, c) \in \mathcal{M}^r, P \text{ is non-faulty}\}|$.

If every content $c$ in $\mathrm{Good}(\mathcal{M}^r)$ was reliably broadcast by at most $t$
non-faulty processes, we would have $n + 1 - t \leq |\mathrm{Good}(\mathcal{M}^r)| \cdot t$, which contradicts
the hypothesis. Hence, at least one content in $\mathrm{Good}(\mathcal{M}^r)$ was reliably
broadcast by more than $t + 1$ non-faulty processes. By the non-faulty liveness of
the reliable broadcast, such content will eventually be reliably received by
all non-faulty processes. □



B.2 Proof of Property 3.2 



Proof. If $|M_i^r \setminus M_j^r| > t$, then $M_j^r$ missed more than $t$ messages in $\mathcal{M}^r$, the
messages reliably broadcast in round $r$. However, this contradicts the fact
that $|M_j^r| \geq n + 1 - t$ with $M_j^r$ being obtained by reliable broadcast. □

B.3 Proof of Lemma 3.3

Proof. First, note that the set $M$ of $P_i$ is monotonically increasing, so the
sequence of transmitted reports is also monotonically increasing. As we
assume FIFO channels, any other non-faulty process $P_j$ receives those reports
in the same order. □



B.4 Proof of Lemma 3.4

Proof. Consider $S$, the set of all messages reliably received by at least one
non-faulty process. By the non-faulty liveness of the reliable broadcast, all
non-faulty processes will eventually obtain $M = S$, which is never expanded,
or we would contradict the definition of $S$. All non-faulty processes then send
reports $\mathcal{R} = S$, which are final, for the same reason as before.

Again, by the non-faulty liveness property of the reliable broadcast, all
these processes will eventually receive $n + 1 - t$ reports $\mathcal{R}$. By the
monotonicity of received reports (Lemma 3.3) and FIFO message delivery, those
reports are not overwritten, matching the local $M = S$. The non-faulty
processes then return from RecvStable(). □

B.5 Proof of Lemma 3.5

Proof. Call $V_i$ the set of processes whose reports are stored in $R$ for process
$P_i$ and round $r$. Since all reports are transmitted via reliable broadcast,
and every non-faulty process collects $n + 1 - t$ reports, $|V_i \setminus V_j| \leq t$ with
$|V_i| \geq n + 1 - t$, which implies that $|V_i \cap V_j| \geq n + 1 - 2t$. In other words,
any two non-faulty processes identify $n + 1 - 2t \geq t + 1$ buddies in common,
including a non-faulty process $P_k$. Therefore, $M_i^r = R'_k$ and $M_j^r = R''_k$,
where $R'_k$ and $R''_k$ are reports sent by $P_k$ at possibly different occasions.

Since the set $M_k^r$ is monotonically increasing, either $R'_k \subseteq R''_k$ or
$R''_k \subseteq R'_k$, guaranteeing property (iii). Both $R'_k$ and $R''_k$ contain $R_k$, the first report
sent by $P_k$, by Lemma 3.3. Since $|R_k| \geq n + 1 - t$ and $\mathrm{Quorum}(R_k) \neq \emptyset$, by
Lemma 3.1 we guarantee properties (i) and (ii). □
C Solvability for Non-independent Faults

We here overview the changes in the proof of our solvability theorem between
its principal formulation, and in the one following the model of Junqueira
and Marzullo [14]. The overall proof structure is identical to the one for
Theorem 5.1, so we only highlight some details, which are trivial.

Proof. Conditions imply protocol. Assuming the map $f$ exists, proceed as
before, but use the $c$-set agreement protocol to jump to $\mathrm{skel}^{c-1}(\mathcal{I})$. The
application of the barycentric agreement protocol and of the simplicial
approximation theorem remain identical.

Protocol implies conditions. Assuming the protocol exists, we again
reduce to the crash-failure case. It is known [12] that in the crash failure
model, if there is a protocol with core size $c$, then we will have a continuous
map $f : |\mathrm{skel}^{c-1}(\mathcal{I})| \to |\mathcal{O}|$ carried by $\Delta$, which suffices for our reduction.

Number of processes. Since we have defined $c = t + 1$, the argument
holds verbatim. □